SOCRadar® Cyber Intelligence Inc. | Redis RediShell Vulnerability (CVE-2025-49844): What You Need to Know
Oct 07, 2025

Redis RediShell Vulnerability (CVE-2025-49844): What You Need to Know

When one of the most widely used databases in the cloud world turns out to have a critical flaw, it’s worth paying attention. Redis has recently been found vulnerable to a serious Remote Code Execution (RCE) bug. The flaw, patched by Redis on October 3, 2025, could let attackers gain complete control of affected servers under specific conditions.

Let’s break down what CVE-2025-49844 is, how it works, and what organizations should do now.

What Is CVE-2025-49844?

CVE-2025-49844, dubbed RediShell, is a use-after-free vulnerability inside Redis’s Lua scripting engine. By sending a maliciously crafted Lua script, an attacker who already has authenticated access can manipulate Redis’s garbage collector to execute arbitrary native code on the host machine.

Details of CVE-2025-49844 (SOCRadar Vulnerability Intelligence)

The vulnerability was responsibly disclosed by Wiz researchers Benny Isaacs, Nir Brakha, and Sagi Tzadik, in collaboration with Trend Micro’s Zero Day Initiative (ZDI).

How Critical Is CVE-2025-49844?

Redis scored this issue 10.0 on the CVSS scale, the highest possible severity. That means the flaw can potentially lead to full RCE, escaping the Lua sandbox, and giving the attacker unrestricted access to the underlying system.

It is important to note that all Redis versions with Lua scripting are impacted.

How Long Has This Flaw Been Around?

According to Wiz Research, the bug traces back nearly 13 years – an artifact that persisted through multiple Redis generations. This makes it one of the longest-lived vulnerabilities recently uncovered in a modern cloud-native technology stack.

How Widespread Is the Exposure?

Because Redis is embedded in roughly 75% of cloud environments, the exposure is enormous. In their scan, Wiz identified about 330,000 internet-exposed Redis instances, many of them with no authentication enabled at all.

How Does RediShell Work?

At a high level, the exploit flow involves four stages:

  1. Initial Exploitation – The attacker sends a malicious Lua script that triggers the use-after-free bug.
  2. Sandbox Escape – The script breaks free from the Lua interpreter, allowing native code execution.
  3. System Compromise – The attacker can steal SSH keys, cloud tokens, or run malware directly on the host.
  4. Lateral Movement – Using stolen credentials, the attacker can pivot across the network or cloud environment.

RediShell attack flow (Wiz)

This chain effectively transforms a simple Redis script feature into a gateway for complete host takeover, an especially concerning outcome for multi-tenant cloud infrastructures.

Who Is at Risk?

According to the researchers, the degree of risk depends on how Redis is deployed:

  • Critical Risk: Redis instances that are publicly exposed without authentication. Wiz reports that more than half of Redis deployments run as containers, which are often deployed with authentication left disabled.
  • High Risk: Instances open within internal networks where lateral movement is possible after a breach.
  • Moderate Risk: Properly secured instances where attackers must first authenticate, though these can still be compromised if credentials are stolen elsewhere.

While there is no evidence of exploitation in the wild so far, Redis servers are frequent targets of botnet operators and cryptojacking campaigns.

How Can You Mitigate the RediShell Vulnerability?

Redis and Wiz jointly recommend immediate mitigation steps:

  • Upgrade Immediately – Apply the patched versions:
    • All Redis Software Releases: 7.22.2-12+, 7.8.6-207+, 7.4.6-272+, 7.2.4-138+, or 6.4.2-131+
    • Redis OSS/CE/Stack releases with Lua scripting: 8.2.2+, 8.0.4+, 7.4.6+, or 7.2.11+
  • Restrict Access – Use firewalls, VPCs, and network rules to limit Redis exposure to trusted hosts.
  • Enable Authentication – Enforce passwords via requirepass and disable unauthenticated modes.
  • Disable Lua Scripting if Unused – Restrict EVAL and EVALSHA commands with ACLs.
  • Run Redis as a Non-Root User – Limit privileges to reduce impact in case of compromise.
  • Monitor Activity – Watch for unusual Lua scripts, unexplained crashes, or anomalous traffic.

For self-managed deployments, full remediation is achieved only after upgrading to the patched releases.

For details on affected versions and official guidance, refer to the Redis security advisory.
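As an added example (not part of the SOCRadar post or of Redis's own tooling), the following Python checks a self-managed deployment against three items from the list above: whether the running version meets the patched Redis OSS/CE/Stack releases quoted above, whether the bind address exposes the server, and whether any ACL user can still call EVAL/EVALSHA or log in with nopass. The configuration samples are constructed, the secrets are placeholders, and the check deliberately treats any release branch not in the quoted list as unpatched.

```python
import re

PATCHED_OSS = {(8, 2): (8, 2, 2), (8, 0): (8, 0, 4), (7, 4): (7, 4, 6), (7, 2): (7, 2, 11)}  # fixed release per branch

def is_patched(text):
    """Accept 'redis_version:7.4.5' (INFO server) or 'v=7.2.11'; unlisted branches count as unpatched."""
    if not (m := re.search(r"(\d+)\.(\d+)\.(\d+)", text)):
        raise ValueError("no x.y.z version in: " + text)
    v = tuple(int(p) for p in m.groups())
    fixed = PATCHED_OSS.get(v[:2])
    return fixed is not None and v >= fixed

def scripting_allowed(rules):
    """Replay ACL rules left to right; True if EVAL or EVALSHA is still callable at the end."""
    cmds = set()
    for r in (x.lower() for x in rules):
        if r in ("allcommands", "+@all", "+@scripting"):
            cmds = {"eval", "evalsha"}
        elif r in ("nocommands", "-@all", "-@scripting"):
            cmds = set()
        elif r[:1] in "+-" and r[1:] in ("eval", "evalsha"):
            (cmds.add if r[0] == "+" else cmds.discard)(r[1:])
    return bool(cmds)

def audit_conf(conf_text):
    """Return findings for redis.conf lines that contradict the mitigation list (exposure, auth, Lua access)."""
    settings, users = {}, []
    for raw in conf_text.splitlines():
        key, _, value = raw.strip().partition(" ")  # '#...' lines are comments and are skipped below
        if key.lower() == "user":
            users.append(value.split())
        elif key and not key.startswith("#"):
            settings[key.lower()] = value.strip()
    if not any(u[0] == "default" for u in users):  # implicit default user: all commands, password only via requirepass
        users.append(["default", "on", "+@all"] + ([] if settings.get("requirepass") else ["nopass"]))
    findings, bind = [], settings.get("bind", "")
    if not bind or "0.0.0.0" in bind or "*" in bind:
        findings.append("bind: listens on all interfaces; restrict to trusted hosts")
    for u in (u for u in users if "on" in u):  # users left 'off' cannot authenticate, so nothing to flag
        if "nopass" in u:
            findings.append(f"auth: ACL user '{u[0]}' has nopass; enforce a password")
        if scripting_allowed(u[1:]):
            findings.append(f"lua: ACL user '{u[0]}' may call EVAL/EVALSHA; add -@scripting if Lua is unused")
    return findings

# Constructed samples: an unauthenticated container-style config and a hardened one (secrets are placeholders).
WEAK_CONF = "bind 0.0.0.0\nuser default on nopass ~* &* +@all\n"
HARDENED_CONF = ("bind 10.0.0.5\nrequirepass REPLACE_WITH_LONG_RANDOM_SECRET\nuser default off\n"
                 "user app on >REPLACE_WITH_LONG_RANDOM_SECRET ~* &* +@all -@scripting\n")
```

Running `audit_conf(WEAK_CONF)` yields three findings (bind, auth, lua) while the hardened sample yields none; feed `is_patched` the `redis_version` line from `INFO server` to confirm the upgrade actually landed.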

Ensure Continuous Monitoring with SOCRadar to Prevent Similar Incidents

Ongoing visibility is critical to detecting and prioritizing vulnerabilities before they can be exploited. SOCRadar’s Cyber Threat Intelligence and Attack Surface Management (ASM) modules enable organizations to continuously map exposed assets, track emerging threats like CVE-2025-49844, and assess which systems are most at risk.

SOCRadar’s Attack Surface Management module, Company Vulnerabilities

By combining real-time exposure monitoring with contextual intelligence, teams can move from reactive patching to proactive vulnerability management, closing the gap before attackers can act.